The Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the Health Insurance Portability and Accountability Act (HIPAA) in 2009, required the HHS Office for Civil Rights (OCR) to conduct a pilot audit program to assess HIPAA compliance. To conduct the audits, OCR established an audit protocol, which is searchable and organized around modules. The first 20 preliminary audits have been conducted; in all, 115 covered entities will be audited in the pilot program, which will end in December 2012.

The Security Rule requirements for administrative, physical, and technical safeguards.

The requirements for the Breach Notification Rule.

The goal of the audits is to analyze trends, improve overall compliance and identify best practices, according to Linda Sanches, senior advisor for health information privacy at OCR, reporting on the audits at an OCR/NIST conference in June. OCR does not plan to penalize auditees found in violation, though it will do so if it uncovers “serious compliance issues,” she said.

Sanches reported that the preliminary audits have uncovered many violations of HIPAA, with the most problems (65 percent) in keeping electronic patient data secure.

“There are more struggles and more individual requirements [in the security rule],” she noted. Two of the biggest areas of weakness found were entities' failure to conduct a risk analysis to identify vulnerabilities in their security programs, and their failure to manage the risks that were found.

Conducting a risk analysis is also a requirement of the Meaningful Use incentive program.

“It is no longer acceptable to be noncompliant,” warned Leon Rodriguez, director of OCR, who also spoke at the conference.

Sanches recommended that covered entities use the protocol to conduct self-audits of their HIPAA compliance. She also recommended that they find, track and account for all patient data, including data on new devices, and make use of the guidance on OCR's website.